Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
38 articles found · #luxembourg · Veille Luxgap
AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
Lithuania: €450,000 GDPR fine for lack of MFA at InMedica
Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).
GDPR: no automatic damage — French Court of Cassation tightens Article 82
On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.
CNIL: vehicle location data — new recommendation
On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.
AI Act D-31: transparency on 2 August, machine-readable marking by 2 December
The EU Council confirms AI Act transparency duties from 2 August 2026, with a grace period until 2 December 2026 for machine‑readable marking of AI-generated content.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations
Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.
EDPB updates its Objection & Erasure digest and launches a form
On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.
Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures
The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.
DORA — Third-country branches: ICT register due by June 30
DORA’s final stretch in Luxembourg: third‑country bank branches must submit their ICT register to the CSSF by June 30, 2026 at the latest. Here is how to get it done this week.
EDPB — Scientific research: last chance to comment
On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.
Evidence and personal data: France’s Supreme Court draws a clear line
On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.